DNSSEC validation in CentOS Stream 9

Carsten Strotmann carsten at strotmann.de
Thu Sep 8 07:20:46 UTC 2022

Hello Josef,

On 8 Sep 2022, at 8:42, Josef Vybíhal via Unbound-users wrote:

> Hello everyone,
> maybe this will be obvious to some, but I have been scratching my head
> about this since yesterday.
> In CentOS Stream 9, when unbound installed from Appstream, I see that
> unbound returns insecure replies to clients. Which is not what I want,
> nor what I am used to. I am thinking this might be a packaging bug,
> compile option or config setting, but I can not figure out which and
> where. I am testing with untouched rpm package config.
> CentOS Stream 9 example:
> [root at 18 ~]# dig sigfail.verteiltesysteme.net @127.1 +short
> [root at 18 ~]# unbound-host -C /etc/unbound/unbound.conf -v
> sigok.verteiltesysteme.net has address (insecure)
> sigok.verteiltesysteme.net has IPv6 address 2001:638:501:8efc::139 (insecure)
> sigok.verteiltesysteme.net has no mail handler record (insecure)
> [root at 18 ~]# unbound -V
> Version 1.16.2

Red Hat removed (almost all) SHA1 support from RHEL 9 (including CentOS), which makes DNSSEC zones signed with RSASHA1 treated as insecure:


This affects the Red Hat build versions of Unbound and BIND 9 (as a resolver).

SHA1 for DNSSEC use is on its path to be deprecated <https://www.ietf.org/archive/id/draft-hardaker-dnsop-must-not-sha1-00.html>, but there are still zones that have not migrated to stronger DNSSEC algorithms.

See the discussion on this mailing list for some background <https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-April/007709.html>



More information about the Unbound-users mailing list